WS-Fed app integrations

Web Services Federation (WS-Fed) is an XML-based protocol used for Single Sign-On (SSO). Typically, WS-Fed is used to sign on to legacy Windows-based web applications and Microsoft Office 365, where Okta acts as an authorization server or Identity Provider (IdP).

Admins can browse the OIN catalog and set the filter to search for app integrations with WS-Federation as a capability. When added to an org and assigned to an end user by an admin, the WS-Fed app integration appears as a new icon on the End-User Dashboard.

Okta as Identity Provider

Okta supports integrating with WS-Fed applications as an IdP that provides SSO to external applications.

When users request access to an external application registered with Okta, they are redirected to Okta. As the IdP, Okta then delivers a WS-Fed assertion to the browser. The browser uses that assertion to authenticate the user to the application.

Okta as a WS-Fed Identity Provider

  1. Using WS-Fed, the user attempts to access client applications protected by Okta.
  2. Client applications act as WS-Fed Service Providers (SP) and delegate the user authentication to Okta. The client applications send a SAML assertion to Okta to establish the user session.
  3. Okta acts as the WS-Fed Identity Provider and uses SSO and Multifactor Authentication (MFA) to authenticate the user.
  4. Okta returns a WS-Fed assertion to the client applications through the end user's browser.
  5. The client applications validate the returned assertion and allow the user access to the client application.
Note

Users, client applications, and external IdPs can all be located on your intranet and behind a firewall, as long as the end user can reach Okta through the internet.

Related topics

Configure WS-Federation for Office 365

Microsoft Office 365 - Okta Integration Network